ocsp.verisign.com ipv6 dns broken?

Florian Lohoff f at zz.de
Fri Oct 19 18:19:43 CEST 2012


On Fri, Oct 19, 2012 at 11:55:22AM -0400, Bill Owens wrote:
> On Fri, Oct 19, 2012 at 05:02:01PM +0200, Florian Lohoff wrote:
> > 
> > Hi,
> > 
> > is this a known issue? Asking for AAAA or ANY just 
> > does not give ANY response which obviously breaks down
> > for any resolver trying to be clever and retrieving 
> > quad-A records together with an A RR
> 
> It is perhaps more correct to say that DNS for ocsp.verisign.net is broken. . .

Yep - it happened to me that I had websites with multiple different
certificates where all CAs' OCSPs were a CNAME to verisign
(ocsp.thawte.com is an example) which resulted in a delay of >45 seconds
loading the page - Firefox times out an OCSP query after 10 seconds it
seems.

> Given the not-exactly-helpful response I received from Verizon back in
> the spring I'm not anxious to email them about this, but you might
> want to give it a try. Perhaps this time they'll be less unhappy at
> having their problems pointed out ;)

I sent an email to vshostmaster ... let's see - for now I have entries
in /etc/hosts which resolve to 127.0.0.X which gives a connection
refused but now the pages load again ...

Flo
-- 
Florian Lohoff                                                 f at zz.de